Gamaredon Group Using Fresh Tools to Target Outlook
In the analysis of the new tools that Gamaredon is now deploying, ESET
researchers found that the hacking group is able to now compromise Outlook
using a custom Visual Basic for Applications - VBA - project file that
contains malicious macros. While using malicious macros to compromise Outlook
is not unusual, Gamaeredon's use of VBA is different, says Jean-Ian Boutin,
head of threat research at ESET. "What stands out in this one is the fact that
they used some novel tools," Boutin tells Information Security Media Group.
"The Outlook VBA project used to send emails from the compromised inbox to
contacts in the address book is something we've never seen before. The macro
injection module is quite interesting too. All in all, they've shown a
creativity we've not seen from them in the past." The attack starts when a
targeted device is first compromised with a phishing email that contains a
malicious Word or Excel attachment. It's these attachments that contain a
Virtual Basic script that will stop the Outlook process and disable security
tools, including those designed to protect the VBA project function, according
to the report.
How voice tech could shape the post-pandemic workplace
Though voice-based digital assistants such as Amazon Alexa or Google Home have
often been seen as home-based, Amazon has been pushing Alexa into the
corporate world with Alexa for Business in the U.S., offering integrations
that use voice commands for tasks such as managing meetings, controlling
conference room devices and even setting the room temperature. Pre-pandemic,
many businesses may have seen those capabilities as “nice to have” features,
according to the 451 Research report. But if social distancing measures remain
in place long-term, these integrations could become critical for any company
wanting to bring employees back into a physical office space. “Beyond the idea
that [a company could] bring in a third of the workforce for month one, and
then bring in another batch of the workforce, or rotate the workforce, I don't
think people have started to look at the different contact points of, say, the
furniture or how employees will be engaging with the built environment,”
Mullen said, adding that it’s likely the business handshake is now a thing of
the past.
DevSecOps vs. Agile Development: Putting Security at the Heart of Program Development
The difference between DevSecOps and agile development methodologies can be
understood in reference to one aspect of software development: security. When,
where and who implements security in software development varies between the
two approaches. Agile development methodologies focus on iterative development
cycles, in which feedback is continuously reintegrated into ongoing software
development. However, even in mature agile development processes, security is
still often added to software as an afterthought. This should not be read as
blaming software developers for often underestimating the potential harm from
malware or overlooking the importance of cybersecurity. Rather, in many
firms, it is simply not the responsibility of developers to think about the
security implications of their code, because software will be passed to the
security team before release. DevSecOps takes security and puts it on the same
level as continuous integration and delivery.
Six Former eBay Employees Charged with Aggressive Cyberstalking Campaign
According to the charging documents, the victims of the cyberstalking campaign
were a Natick couple who are the editor and publisher of an online newsletter
that covers ecommerce companies, including eBay, a multinational ecommerce
business that offers platforms for consumer-to-consumer and
business-to-consumer transactions. Members of the executive leadership team at
eBay followed the newsletter’s posts, often taking issue with its content and
the anonymous comments underneath the editor’s stories. It is alleged
that in August 2019, after the newsletter published an article about
litigation involving eBay, two members of eBay’s executive leadership team
sent or forwarded text messages suggesting that it was time to “take down” the
newsletter’s editor. In response, Baugh, Harville, Popp, Gilbert, Zea,
Stockwell, and others allegedly executed a three-part harassment campaign.
Among other things, several of the defendants ordered anonymous and disturbing
deliveries to the victims’ home, including a preserved fetal pig, a bloody pig
Halloween mask, a funeral wreath...
Ripple20 vulnerabilities will haunt the IoT landscape for years to come
These vulnerabilities -- collectively referred to as Ripple20 -- impact a
small library developed by Cincinnati-based software company Treck. The
library, believed to have been first released in 1997, implements a
lightweight TCP/IP stack. Companies have been using this library for decades
to allow their devices or software to connect to the internet via TCP/IP
connections. Since September 2019, researchers from JSOF, a small boutique
cyber consultancy firm located in Jerusalem, Israel, have been looking at
Treck's TCP/IP stack, due to its broad footprint across the industrial,
healthcare, and smart device market. Their work unearthed serious
vulnerabilities, and the JSOF team has been working with CERT (computer
emergency response teams) in different countries to coordinate the
vulnerability disclosure and patching process. In an interview with ZDNet last
week, JSOF said this operation involved a lot of work and different steps,
such as getting Treck on board, making sure Treck has patches on time, and
then finding all the vulnerable equipment and reaching out to each of the
impacted vendors.
First Four Finnish GDPR Fines Set A New Tone For Data Protection Supervision
Controllers have been relying on a certain legal certainty and status quo
expectations in their data processing practices, as well as in their attempts
in fending off unexpected supervision measures after the enactment of the
GDPR. In general, businesses have been surprised by the lack of active
guidance from the data protection authorities. In the Transparency Case, the
controller had referred to demonstrated compliance under previous Finnish data
protection legislation. The company also contended that since the Ombudsman
had looked into the company's processing activities in 2017 without any
further action until 2020, the company should have been able to trust the
lawfulness of its conduct. However, these arguments were not accepted by the
Collegial Body and the decision stressed that it was for the controller to
monitor and assess compliance with new requirements pursuant to the
GDPR.
This project is using fitness trackers and AI to monitor workers' lockdown stress
The pilot scheme at PwC came about following discussions between Cameron and
associates at IHP Analytics, a boutique analytics firm that specializes in
human performance in elite sports. The firm, which has worked alongside
professionals in Formula 1 racing and Olympic cycling, is aiding the
development of the underlying platform, which it eventually hopes to offer to
external clients. "One of the areas, even before COVID, that we knew was
developing fast was a deeper understanding of human performance and human
wellness," Cameron says. "We want to marry these two together to do something
positive for our people." Vicki Broadhurst, a senior manager at PwC,
volunteered for the trial in order to help her understand how her physical
activity linked to her cognitive performance and how she felt. She tells
TechRepublic that her participation in the trial stemmed from her own interest
in the role of artificial intelligence in psychometric testing, as well as
wanting to remain active during lockdown. "I wanted to take part in something that would challenge me to be more
active whilst I was at home all the time, as well as give me targets to work
towards," she says.
Q&A on the Book Leveraging Digital Transformation
Now, the digital age has evolved to the 2nd machine age. The machine becomes
more powerful with the evolution of computers that see outstanding and
evergrowing storage and processing capacity, as well as networking evolution,
beyond other aspects. Thanks to the fast increasing power of the computer, a
very important domain in computing that was hibernating due to computer
limitations back then, suddenly wakes up and thrives on the machine’s newfound
power. I am talking about artificial intelligence. Now, not only are computers
more powerful, but they can be given a brain with artificial intelligence,
therefore becoming smart. As a result, the intelligent computer can take over
many of the jobs that humans used to do. This is the 2nd machine age, the age
when the machine becomes smarter and smarter. The possibilities the 2nd
machine age offers are countless because it allows the transforming of every
sector, every business, everything, and even us humans. There is no limit
because anyone and everyone can innovate and further build on previous
innovations.
Assembling A Top-Notch AI Team
If anything, the roles of the data scientist or the ML engineer are perhaps
the first to focus on. They will be essential for the ultimate success of an
AI model. “If you are building a team from scratch, pay top dollar to hire a
senior ML engineer as an anchor and leader, then surround them with your best
internally applicable talent,” said Jocelyn Goldfein, who is a managing
director at Zetta Ventures Partners. In terms of recruiting the technical
talent, you need to be expansive. Look to your own network, say with LinkedIn.
Get to know new graduates who have advance degrees, even those that are not
just for computer science. “Traditional data scientist backgrounds–statistics,
math, computer science–are more commonly being augmented with engineers,
physicists, economists, psychologists, and so on,” said Justin Silver, who is
a data scientist manager and AI strategist at PROS. “Recruiting from a pool of
candidates with varying technical backgrounds can yield an AI team comprised
of a wide, rich set of perspectives for solving problems. This technical
diversity also makes collaboration more interesting and fun and encourages
team members to effectively communicate their ideas
How will technology change investment landscape going forward?
Large banks understand what’s coming, but it’s difficult to act. “So somebody
makes a presentation to the bank board saying, ‘Hey, we should do this.’ And
the board members say, ‘Well, you’re saying we should spend all this money to
basically cannibalize our business and make a lot less money?’ That’s a really
tough sell.” There will also be a shakeout in asset management, Harvey says,
where having access to better data and the ability to interpret that data will
be a key competitive edge. Pension funds that use external managers should be
asking questions about how many full-time equivalents those managers have on
machine-learning teams. “And that answer better be more than one,” he says.
“And if it’s zero, that’s potentially enough to walk away.” But while fintech
will be disruptive, it will also have very positive outcomes like reducing
costs, which is the easiest way to create alpha, Harvey says. Indeed, the
reduction of costs generates positive alpha. “It’s often the case [that] you
work really hard, you’ve got some forecasts, you’re able to do better than
your benchmark, but that is just eaten up with cost. So it looks like you just
meet the benchmark or maybe even underperform.”
Quote for the day:
:format(webp)/cdn.vox-cdn.com/uploads/chorus_image/image/66921575/VRG_ILLO_4062_WFH_with_SPOT_2040.0.0.jpg)
